I work on a very large privacy project and wanted to get folks' take on how you feel about the Fair Information Practice Principles and privacy when it comes to ethical hacking. I've been a part of systems requirements and systems development, and the FIPPs are the core of my work on both fronts. Has anyone else considered the FIPPs and privacy when they conduct their business?

I am also hosting an international privacy symposium this summer - I am working to incorporate cyber security into the overall theme - if anyone has any suggestions, I would love to hear them.

infosec703 wrote:
I work on a very large privacy project and wanted to get folks' take on how you feel about the Fair Information Practice Principles and privacy when it comes to ethical hacking. I've been a part of systems requirements and systems development, and the FIPPs are the core of my work on both fronts. Has anyone else considered the FIPPs and privacy when they conduct their business?

I am also hosting an international privacy symposium this summer - I am working to incorporate cyber security into the overall theme - if anyone has any suggestions, I would love to hear them.

Thanks in advance.

The issue with FIPPs, and other "frameworks", is usually that they are very outdated. Think about that very thoroughly. It is 40 years old (http://itlaw.wikia.com/wiki/Privacy_Act_of_1974), and technology differed back then. The threats differed, vulnerabilities differed.

At the core of "ethical hacking", if I am tasked with discovering vulnerabilities, there is a high likelihood I am going to trample all over FIPPs-style frameworks:

There must be a way for an individual to prevent information about him or her that was obtained for one purpose from being used or made available for other purposes without his or her consent. (purpose limitation)

At the core of this FIPP statement, no one is giving me consent as a tester to access their information. The company storing the data is having me test it. How do you solve this paradox?

Frameworks as a whole are started with good intent, but are often so broad that they become self-defeating. For example, if you look at a PCI transaction, you have data in transit and data at rest. BOTH can be exploited to some degree (MITM the wire, decrypt stored data). There is NO workaround for these facts. So what do professionals do? They apply band-aids: "implement stronger SSL, encrypt with uber ciphers", but they are not addressing the problem; they are merely delaying (slowing down an attacker).

Strong security needs to begin at the core protocols (OSI layers), where something is going through an SDLC phase or a prototype-to-market phase, but the reality is that technology changes so fast this is not feasible on any scale. The "thinkers" need to re-think their game plans, because by the time you write up any framework, the next best thing comes along and the framework is then useless. Let alone a 40-year-old framework.